You want to build a great new app. You know what you’ll use for your frontend, backend, database, for payments and sending emails. But what about authentication?
Authentication is the process of evaluating a credential provided by a user to establish their identity. This could be a username and password, a social login, or a hardware key. It’s sometimes called authn (to distinguish it from authorization, or authz). The user’s device then stores a user ID and possibly other information, so you can tell which user is making each request and give them access to the data they are authorized to use.
There are lots of commercial SaaS authentication solutions, but in this analysis, we’ll evaluate open source options.
Keycloak is what I’d call the gold standard of open source auth. I’ve read on Hacker News that “you’ll never get fired for using Keycloak.” It’s written in Java as one large application. It has the most features of any of the options here, from compliance with standards like OpenID, SAML, LDAP, etc., to password strength requirements, to an entire authorization policy system as well.
Downsides: Docs are not great, especially of the “guide” or “cookbook” type. The styling options are through “themes” that use CSS and a Java templating language for HTML. Most people would need to learn specific class names to change styles. This part of Keycloak may be less ergonomic for devs who want to build the login, signup, verification, and reset flows into the frontend themselves with whatever framework they are using. Some people have expressed concerns that with a large number of “realms,” Keycloak takes up a lot more resources. For my use-case I don’t think I’ll run into this issue.
By default, Keycloak uses the PBKDF2 hashing algorithm, although there is an extension to use BCrypt, which many other authn options use. This might be appealing if you want to migrate from/to Keycloak from another system.
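The migration concern above comes down to one pattern: verify the password against whatever hash the old system stored, and if it checks out, rehash it with the new algorithm during that same login, so users never have to reset passwords. The following is an added example of that verify-then-rehash flow, not Keycloak’s or any other project’s code. The `algo$params$salt$digest` encoding, the iteration counts, and the login function are this example’s own assumptions; PBKDF2-HMAC-SHA256 stands in for a Keycloak-style default, and scrypt (available in the standard library, unlike bcrypt, which needs the third-party `bcrypt` package) stands in for the other system’s algorithm.

```python
"""Verify-then-rehash password migration between two hash algorithms.

Added example: the encoded hash format and parameters are this example's own
assumptions, not Keycloak's storage format. Swap hash_scrypt for a bcrypt
wrapper if the target system really uses bcrypt.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Tuple

# Example parameters chosen for this demo; tune work factors for production.
PBKDF2_ITERATIONS = 200_000
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Encode as pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=DKLEN)
    return f"pbkdf2-sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hash_scrypt(password: str, salt: bytes = b"") -> str:
    """Encode as scrypt$<n>$<r>$<p>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


# Registry of target algorithms a login may migrate to.
HASHERS: Dict[str, Callable[[str], str]] = {"pbkdf2-sha256": hash_pbkdf2, "scrypt": hash_scrypt}


def verify(password: str, encoded: str) -> bool:
    """Recompute the digest using the parameters stored with the hash and compare in constant time."""
    parts = encoded.split("$")
    algo = parts[0]
    if algo == "pbkdf2-sha256" and len(parts) == 4:
        _, iters, salt_hex, digest_hex = parts
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters), dklen=DKLEN
        )
    elif algo == "scrypt" and len(parts) == 6:
        _, n, r, p, salt_hex, digest_hex = parts
        candidate = hashlib.scrypt(
            password.encode(), salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=DKLEN
        )
    else:
        return False  # unknown or malformed record: never accept
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Dummy record used to spend the same work on unknown usernames, so a missing
# account is not distinguishable from a wrong password by response time.
_DUMMY = hash_pbkdf2("not-a-real-password")


def login(store: Dict[str, str], username: str, password: str, target: str = "scrypt") -> Tuple[bool, bool]:
    """Return (authenticated, migrated). On success, rehash with `target` if the stored algorithm differs."""
    encoded = store.get(username)
    if encoded is None:
        verify(password, _DUMMY)
        return False, False
    if not verify(password, encoded):
        return False, False
    if encoded.split("$")[0] != target:
        # Only possible at login time: this is the one moment the plaintext is available.
        store[username] = HASHERS[target](password)
        return True, True
    return True, False


if __name__ == "__main__":
    users = {"alice": hash_pbkdf2("correct horse battery staple")}  # constructed sample record
    print(login(users, "alice", "correct horse battery staple"))  # (True, True): migrated to scrypt
    print(login(users, "alice", "correct horse battery staple"))  # (True, False): already on scrypt
    print(login(users, "alice", "wrong"))                          # (False, False)
```

The migration is gradual by design: accounts that never log in keep their old hash, so a follow-up job that lists records still on the old prefix tells you when the old algorithm can be retired.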
A lot of examples for KC use the Admin UI, which might be a bit off-putting for devs who want things in config files. However, it has a robust API you can use, and has new features to write configs as static files and import them, and to configure it via Kubernetes CRDs.
They are working on Keycloak.X, its next-generation version, which will include better performance, cloud-native deployments, a more modular architecture, a headless option and better ways to build the login UI, and more. Keycloak has raving reviews on Hacker News.
SuperTokens is a relatively new option. It comprises a Core API service written in Java which uses a Postgres database, and several backend libraries in NodeJS, Go, and Python, which talk to that core API and provide their own “frontend API” (frontend in the sense that it is in front of other backend services). You add the middleware from those libraries to your HTTP library/framework, and it creates routes like /auth/signin. The libs use a pattern of “recipes” for common functionality, configured in an init call to the middleware which instantiates the appropriate classes. You can pass functions to do things like send an email verification email.
SuperTokens also includes several frontend libraries: a headless JS lib and a functional out-of-the-box collection of web UI components in React, among others. You can override both styles and sub-components of the interface by passing an object as props.
They have some great blog posts which helped me understand the importance of good session management for proper security.
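To make “good session management” concrete, here is an added example (my own illustration, not SuperTokens’ code) of a server-side session store with the properties that matter: session IDs that are unguessable, only a hash of the ID kept server-side so a database leak doesn’t hand out live sessions, idle and absolute expiry, rotation of the ID when the user logs in, and revocation of every session on a password change. The class, the timeouts, the injectable clock and the cookie name are this example’s assumptions.

```python
"""Minimal server-side session store illustrating session-management basics.

Added example, not SuperTokens' implementation. Timeouts and cookie attributes
are assumptions; adjust them to your application's risk profile.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 30 * 60        # seconds without activity before a session dies
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime regardless of activity


@dataclass
class Session:
    user_id: str
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock          # injectable so expiry can be tested deterministically
        self._sessions: Dict[str, Session] = {}  # keyed by sha256(token), never the raw token

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        """Issue a fresh 256-bit random token; return it to be set as the cookie."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def lookup(self, token: str) -> Optional[str]:
        """Return the user ID for a live session, expiring it if a timeout has passed."""
        key = self._key(token)
        session = self._sessions.get(key)
        if session is None:
            return None
        now = self._clock()
        if now - session.created > ABSOLUTE_TIMEOUT or now - session.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]
            return None
        session.last_seen = now
        return session.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Replace the ID at privilege changes (e.g. login) so a pre-login ID cannot be reused."""
        user_id = self.lookup(token)
        if user_id is None:
            return None
        self.revoke(token)
        return self.create(user_id)

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)

    def revoke_all(self, user_id: str) -> int:
        """Log a user out everywhere, e.g. after a password change; returns how many were dropped."""
        doomed = [k for k, s in self._sessions.items() if s.user_id == user_id]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def cookie_header(token: str) -> str:
    """Set-Cookie value: __Host- prefix pins Secure + Path=/ and no Domain; HttpOnly keeps JS away."""
    return f"__Host-session={token}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("guest")          # constructed: a pre-login session
    logged_in = store.rotate(anon)        # ID changes at login
    print(store.lookup(anon), store.lookup(logged_in))   # None guest
    print(cookie_header(logged_in))
```

The hashed key is the detail people most often skip: with it, an attacker who reads the session table still cannot forge a cookie, because the stored value cannot be turned back into the token the browser must present.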
Downsides: much newer, with less of a community. Docs are great for examples, not so much for API reference. I ran into some issues using the Python SDK with a FastAPI service.
AuthN is a Go service in a single binary that offers common authentication options. Its docs are great in my opinion: the architecture explanation is really nice.
Downsides: It does have a much more limited feature set. For example, it doesn’t support email verification. While I understand the desire to have a strong boundary and avoid feature creep, at the same time for a new project I want something that “just works” for most of my requirements without having to build it myself if I can help it.
ORY Stack: Ory Kratos is an auth system. Docs seemed good but the system seemed quite complex, with a lot of boilerplate configuration to do something that’s one line with SuperTokens (providers=[GoogleProvider()]).